Malware Analysis Report

2024-10-19 09:31

Sample ID 240510-mg764scf79
Target 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63
SHA256 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63
Tags
formbook se62 rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63

Threat Level: Known bad

The file 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63 was found to be: Known bad.

Malicious Activity Summary

formbook se62 rat spyware stealer trojan

Formbook

Formbook payload

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-10 10:27

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 10:27

Reported

2024-05-10 10:29

Platform

win7-20240215-en

Max time kernel

149s

Max time network

133s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (x4, no details recorded)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2244 set thread context of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe | C:\Windows\SysWOW64\svchost.exe
PID 2940 set thread context of 1140 (x2) | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE
PID 2480 set thread context of 1140 | N/A | C:\Windows\SysWOW64\wininit.exe | C:\Windows\Explorer.EXE

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wininit.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2244 wrote to memory of 2940 (x5) | N/A | C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe | C:\Windows\SysWOW64\svchost.exe
PID 1140 wrote to memory of 2480 (x4) | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\wininit.exe
PID 2480 wrote to memory of 2600 (x4) | N/A | C:\Windows\SysWOW64\wininit.exe | C:\Windows\SysWOW64\cmd.exe

Processes

Process: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE

Process: C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe"

Process: C:\Windows\SysWOW64\svchost.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe"

Process: C:\Windows\SysWOW64\wininit.exe
Command line: "C:\Windows\SysWOW64\wininit.exe"

Process: C:\Windows\SysWOW64\cmd.exe
Command line: /c del "C:\Windows\SysWOW64\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.wkb41961shv.com udp
US 8.8.8.8:53 www.omf.fo udp
US 44.227.76.166:80 www.omf.fo tcp
US 8.8.8.8:53 www.521745.cc udp
KR 104.37.214.75:80 www.521745.cc tcp
US 8.8.8.8:53 www.isthistheyearofsrt.com udp
US 76.223.105.230:80 www.isthistheyearofsrt.com tcp
US 8.8.8.8:53 www.hizlitakibin.com udp

Files

memory/2244-10-0x00000000000B0000-0x00000000000B4000-memory.dmp
memory/2940-11-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2940-12-0x00000000008A0000-0x0000000000BA3000-memory.dmp
memory/2940-16-0x00000000001C0000-0x00000000001D5000-memory.dmp
memory/1140-14-0x0000000000100000-0x0000000000200000-memory.dmp
memory/2940-15-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1140-17-0x0000000007040000-0x0000000007182000-memory.dmp
memory/1140-22-0x0000000006650000-0x000000000677D000-memory.dmp
memory/2940-21-0x0000000000210000-0x0000000000225000-memory.dmp
memory/2940-20-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1140-19-0x0000000007040000-0x0000000007182000-memory.dmp
memory/2480-24-0x0000000000150000-0x000000000016A000-memory.dmp
memory/2480-23-0x0000000000150000-0x000000000016A000-memory.dmp
memory/2480-25-0x0000000000080000-0x00000000000AF000-memory.dmp
memory/1140-27-0x0000000006650000-0x000000000677D000-memory.dmp
memory/1140-30-0x0000000005080000-0x000000000516D000-memory.dmp
memory/1140-32-0x0000000005080000-0x000000000516D000-memory.dmp
memory/1140-35-0x0000000005080000-0x000000000516D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 10:27

Reported

2024-05-10 10:29

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

144s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (x3, no details recorded)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3884 set thread context of 4456 | N/A | C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe | C:\Windows\SysWOW64\svchost.exe
PID 4456 set thread context of 3436 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE
PID 4856 set thread context of 3436 | N/A | C:\Windows\SysWOW64\wlanext.exe | C:\Windows\Explorer.EXE

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A (x4) | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A (x56) | N/A | C:\Windows\SysWOW64\wlanext.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeShutdownPrivilege (x2) | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege (x2) | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wlanext.exe | N/A

Processes

Process: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE

Process: C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe"

Process: C:\Windows\SysWOW64\svchost.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe"

Process: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3884 -ip 3884

Process: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 704

Process: C:\Windows\SysWOW64\wlanext.exe
Command line: "C:\Windows\SysWOW64\wlanext.exe"

Process: C:\Windows\SysWOW64\cmd.exe
Command line: /c del "C:\Windows\SysWOW64\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 www.4ast6.us udp
DE 91.195.240.123:80 www.4ast6.us tcp
US 8.8.8.8:53 123.240.195.91.in-addr.arpa udp
US 8.8.8.8:53 www.herendkdocsmicroviewj.com udp
US 8.8.8.8:53 www.521745.cc udp
KR 104.37.214.75:80 www.521745.cc tcp
US 8.8.8.8:53 75.214.37.104.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.9072316z.vip udp
US 8.8.8.8:53 www.kinghood.co udp
CA 23.227.38.74:80 www.kinghood.co tcp
US 8.8.8.8:53 74.38.227.23.in-addr.arpa udp
US 8.8.8.8:53 www.465172.com udp
GB 13.224.81.9:80 www.465172.com tcp
US 8.8.8.8:53 9.81.224.13.in-addr.arpa udp

Files

memory/3884-10-0x0000000000FB0000-0x0000000000FB4000-memory.dmp
memory/4456-11-0x00000000006F0000-0x000000000071F000-memory.dmp
memory/4456-14-0x0000000001100000-0x000000000144A000-memory.dmp
memory/4456-16-0x0000000001580000-0x0000000001595000-memory.dmp
memory/4456-15-0x00000000006F0000-0x000000000071F000-memory.dmp
memory/3436-17-0x0000000002E60000-0x0000000002F66000-memory.dmp
memory/4856-20-0x0000000000D60000-0x0000000000D77000-memory.dmp
memory/4856-18-0x0000000000D60000-0x0000000000D77000-memory.dmp
memory/4856-21-0x00000000012E0000-0x000000000130F000-memory.dmp
memory/3436-23-0x0000000002E60000-0x0000000002F66000-memory.dmp
memory/3436-26-0x0000000008DF0000-0x0000000008F4A000-memory.dmp
memory/3436-27-0x0000000008DF0000-0x0000000008F4A000-memory.dmp
memory/3436-30-0x0000000008DF0000-0x0000000008F4A000-memory.dmp